It's official: Deploying Facebook's 'Like' button on your website makes you a joint data slurper Organisations that deploy Facebook's ubiquitous "Like" button on their websites risk falling foul of the General Data Protection Regulation following a landmark ruling by the European Court of Justice. The EU's highest court has decided that website owners can be held liable for data collection when using the so-called "social …
Correct me if I'm wrong (hardly a web developer myself), but as far as I can tell, the buttons use media hosted on El Reg servers and do not run scripts from FarceBook or Twatter. So I see no obvious way that the information about El Reg visitors is shared with them automatically...
It's very difficult for anyone to know what javascript or what host applications are run when a button is clicked, or hovered over, or even rendered. NoScript and uMatrix are good ways to stop the JS cascades from stealing your cookies, but BuckFace can also have the host run lots of backend software when you visit the page.
It's very difficult for anyone to know what javascript or what host applications are run when a button is clicked
That's why I block Javascript by default. I have no problem enabling it on sites where I need the information, in which case I am aware of the potential risk I take (and could theoretically inspect what is about to happen, but let's be honest, few of us do) but by default it's off.
That's the same as locking your car door by default, even if you live in a safe neighbourhood - just good habits.
"That's the same as locking your car door by default"
Not really. Locking my car doesn't cripple its ability to be driven. What you're doing is more like replacing the windscreen with ply and removing the wheels. Sure, you can still sit in the car but you won't get very far until you put it back to a state that supports driving. Almost nothing on the modern Internet works without Javascript, so really you're causing yourself no end of problems while simultaniously giving no bother whatsoever to Facebook and the like. Who still made billions, probably using some of your data provided by friends.
News websites, in particular, are guilty of really excessive scripting (for ads natch). I use NoScript to block the scripts that have no value (to me) but I can still use the sites (and log in if I so desire - I have a subscription to one of them).
If I enable all the scripts (as happens in Chrome) it maxes out a core of my laptop. NoScript helps to prevent this.
One thing I really want to see (particularly for e-commerce sites) is a list of domains that need to run scripts for transactions to actually complete. (Whether they should actually need to run scripts is another matter entirely).
"One thing I really want to see (particularly for e-commerce sites) is a list of domains that need to run scripts for transactions to actually complete. (Whether they should actually need to run scripts is another matter entirely)."
This ^.
I'd like to be able to visit a site, see a (non-JS, obviously) link that lists the domains/scripts that need to be run for basic functionality - so I can enable scripting for those domains, and the retailer has the opportunity to take some of my money off me.
But, being a cynical old fart, I just know that there will be sites listing domains from which they earn money (i.e. advertising) as necessary script sources, which puts us right back into square one of enabling them carefully, one by one, until we hit the right ones.
all the javascript on the page must be audited
A commonly-heard defence is that "the payment page is hosted by the payment service provider, so it must be secure". Then it turns out that the payment service merely provided a template into which the merchant has incorporated a plethora of scripts plucked seemingly at random from all corners of the internet.
One thing I really want to see (particularly for e-commerce sites) is a list of domains that need to run scripts for transactions to actually complete. (Whether they should actually need to run scripts is another matter entirely).
Install uBlock Origin and open the logger before you open the page and you can see it all. At that point it's time to choose :)
To block malware. Works better than AV software. Esp. Zero day exploits. Both BBC & CNN have served malware because the greedy people selling adverts that they use don't vet advertisers and the ads use 3rd party javascript.
3rd party javascript should be illegal.
I like the idea that 3rd party scripts (and cookies whilst we are at it) become illegal... Or at the very least blocked by default in browsers.
As someone who develops sites/services, it really wouldn't be a issue... Admittedly marketing would go ape **** about not having every known gadget, widget, tracking, metric sucking plague installed on the page...
Could we do a deal? No 3rd party anything... But whilst we are at it, let's rework the stupid cookie related laws to dump the "do you accept" popups on every site.
That should be a browser based policy too.
I don't know which internet you're using but the one I use works just fine with all the snooping shit disabled by blockers.
Unless by "modern" Internet you mean all the pop ups, auto playing ads and the rest of the garbage then you are right, none of that works, which is exactly the result I'm after.
If I HAVE to use a site that is unusable without JavaScript then just the bare minimum required gets enabled, causes me no problems at all really.
"I don't know which internet you're using but the one I use works just fine with all the snooping shit disabled by blockers."
You're confusing "disabling snooping shit" with turning off JavaScript. Ad blockers don't turn off JavaScript they target evil things. Try actually turning off JavaScript and see how far you get...
I'm not confused by anything, although you seem to have a problem with reading comprehension, I DO disable JS at all times and enable just the minimum as needed, as I said not a problem and also has the benefit of stopping exploits such as Browser fingerprinting which depend on JS to work.
I use both NoScript and AdBlockPlus - both are needed. (Some sites do not work with AdBlockPlus alone as scripts check for the presence of ad blockers and disable the use of the site if detected - NoScript stops the detection of the ad blockers. )
With the exception of a few sites such as eBay for which JavaScript is necessary - if a site requires Javascript for browsing then I will not use it.
Disabling JavaScript also stops a large proportion of the malicious content on the internet from doing damage.
To maintain your privacy, use privacy badger and uBlock Origin. I run both.
AdBlock plus doesn't block tracking. Blocking javascript doesn't block most tracking and has many inconvenient (for you) side-effects.
Speaking from experience - I am currently typing this on a break from implenting cross-site tracking code for my employer. It doesn't use any javascript FYI.
"Try actually turning off JavaScript and see how far you get..."
Pretty far, given that my browsers block almost all javascript by default, anything I turn on is 'temporary', and if I am on too long, I kill the browser and restart, or purge all the temporary permissions.
Occasionally I reach the point where I don't want to enable more scripts. Usually I leave the site.
If I must use the site, I start a clean read only OS in a VM, read the site, then reboot it.
No one is allowed to force me to run whatever they want on my actual environment. That would be a bad policy.
Almost nothing on the modern Internet works without Javascript
Wrong. Websites that are written properly will still be usable without Javascript, as they will have a <noscript> block to render the content without scripting.
Most websites are usable to an extent without Javascript enabled, although the pretty bits might break.
Personally, I use the NoScript addon and if a site that I visit is so badly written that it is unable to function with just the top-level domain being allowed, then I dump it and move on
"Almost nothing on the modern Internet works without Javascript"
As someone who avoids letting Javascript run by default, I can say that this hasn't been my experience at all. There is a class of sites that require it, but fortunately they tend to be sites I don't care about anyway. The vast majority of the web I see run just fine without JS,
I have the same image url on my end, and I checked a couple of different articles and they have the same image url as well so it isn't tagged to the article either.
The button uses jquery to launch the Facebook UI, passing the url of the page on which the button was clicked. There, you would then have to provide your facebook credentials if you are not already logged in from another tab, and at which point you are then tagged and tracked.
So, it looks like the button and image are not trackers in and of themselves, but if you click on it you will be launching a tracker.
The button is a "share on Facebook" button, which is why it requests you log in in order to complete the operation. Same goes for all other login protected sites you'd want to share an article with via the widget: if you aren't logged in, and the site doesn't allow sharing links anonymously, you'll have to log in to use it, and "be tracked". Somehow it doesn't scream as much "dark pattern" as what the article talks about w/regards to the "like" button which instead allegedly tracks by default?
"So, it looks like the button and image are not trackers in and of themselves, but if you click on it you will be launching a tracker."
First rule of magic. Look at this bright blue button with our logo over here. Nothing nefarious going on WITH THIS BUTTON. No don't look over there, nothing to see over there...
This post has been deleted by its author
Both IGotOut and Donn Bly claim to have the same url, and it's also shared across articles
Yes, as it should be - as it's the exact same icon! Its "unique" URL ensures it's only fetched once by your browser, and reused if it's in its cache, as it should be. With that URL structure, and assuming you don't clear all caches when your browser closes, and assuming you have enough space in your browser's cache (and... yadda yadda yadda) you only "pay" the "download price" for that image once every 13months, as that's the validity of a "design picker" URL.
If we ever were to change the image served by that path part (sans SHA), and for some obscure reason we wanted to retain its path part as-is (which is silly... just create a new file!), we would have the option of "simply" sticking in a new SHA, and everyone would fetch the new image, and cache the new image for 13mo.
This isn't _that_ useful for static assets like furniture images, or site logo, or the like - as those very seldom change and often enough we can/do/will just use a new file name. This is, though, _very_ useful for us to be able to cache-bust the site JS and CSS at-will "just" by changing the SHA in the URL.
The reason we put the cache bust string on all those places is simply because this way we can be conservative in the expiration time given when the "real" /Design/... file is requested (7d) and can be lax (13mo expiration) when the URL path is, instead, "more unique".
Think of the /design_picker/SHA/PATH as a RewriteRule for /PATH, which adds a longer expiration time - that's pretty much exactly what it is; no more, and no less.
It's (also) a cache buster, and it's working exactly how it should be - for the things that need it as a cache buster; for those who need it for the higher expiration time, it's also performing as required.
Hope this helps! For anything more, though, webmaster@
They don't need to run any scripts.
The like button calls a number of resources from Facebook servers into your browser session, which allows Facebook to read and write cookies, and obviously learn which page you are looking at when and on what browser. Doing this on a large proportion of the web pages you visit builds up a substantial database of your browsing activity.
"Doing this on a large proportion of the web pages you visit builds up a substantial database of your browsing activity."
Do things like Trackmenot (look it up) still reduce the value of this "database of browsing activity"?
Trackmenot is (was?) a browser extension which introduces a proportion of 'fake' browsing activities, unrelated to the real user's activities, thereby degrading the 'signal to noise' ratio of the snooped information, and (ultimately?) reducing the commercial value of the snooped info, perhaps to such an extent that it's no longer commercially intersting to carry on gathering it.
Back in Blank Reg's day, it was the government or related organisations that were snooping on the people. Nowadays, the snooping has been outsourced to the social networks, and people 'voluntarily' submit their private lives to the eyes of Facebook, Amazon, Paypal, etc. The top brass in and around those companies then find interesting ways of monetising the snooped info. The people paying for the snooped info (often, but not always, government people) *might* be less interested if they knew it was polluted with lots of fakery (or, they might not).
https://en.wikipedia.org/wiki/Max_Headroom_(TV_series)#Blank_Reg
I see no such button. Nor the buttons you describe as flanking it.
I have no recollection of getting rid of them in my browser settings, but I guess I must have done. Perhaps it was a side-effect of getting rid of animations, which are the kind of ad that I absolutely refuse to allow on my screen?
Hmm, come to think of it, I do recollect finding such irrelevant buttons annoying based on the sheer number of sites where the wretched things appear. Maybe I did explicitly block them?
"at the bottom of this article, in between the twitter button and the linkdim button, is a button with an f in it". There isn't for me. Looks like your browser is broken, did it somehow disable or uninstall ublock origin? You.should not surf the web unprotected, it exposes you to malware and your privacy to unscrupulous data hoarders.
This post has been deleted by its author
I did point this out in response to an article on El Reg that was critical of Facebook's tracking. The comments were moderated and of course mine was rejected. However, I was contacted by the article's author and it did seem there were some internal discussions about the value of the social media links. Perhaps this will be sufficient to tip the balance.
I have been using Firefox Focus, which avoids a lot of these problems. Sad to see it wither on the vine.
This post has been deleted by its author
Block them all. NoScript, Ublock Adguard and the rest or just hosts file and firewall rules.
Make your life a Social Media free zone.
If you have to use them then do it from a device or a VM that has nothing personal on it. One IT Savvy woman I know has a separate VM each one. These are all connected via different VPNs. This is going to extremes but these [redacted][redacted] companies will stop at nothing to steal your life and sell it to advertisers.
They really are blots on society and the sooner they die the better.
Sadly, with the increase in Trash TV aka Love Island/big Brother/Get me out of here, all aimed at the 16-34 age group, I don't see this happening anytime soon. Fools and their money are easily parted.
I filter them out at the DNS level - they are blacklisted on my DNS server.
But that isn't something the average user can do. This is something website owners need to be aware of and deal with in a responsible way.
Heise (a German IT publisher) released the c't Shariff library for web developers back in 2014. It displays locally cached black-and-white images for each social media site, along with a slider (off by default), which will then load the real image and associated code, when the user activates it. The site can remember the users selected state in cookies.
Original article, in German:
https://www.heise.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html
Github repository for Shariff:
https://github.com/heiseonline/shariff
Totally agree that a responsible website owner should use this. Of course, it is more profitable to sell out your users.
Bruce Schneier ( https://www.schneier.com/ ) uses a fork of this. There is no (good) reason for a website not to, other than wanting to abuse the trust of their readers. More info at (gotten by clicking the 'I' button in the line of grayed social-sharing icons) :
http://panzi.github.io/SocialSharePrivacy/
This is *news* ?!?
This is not a slight on El Reg, more on the fact that it's taken that long for anyone to flag this in a manner that gets it to court because that's been known for, well, almost as long as FB (and the rest of the asocial bunch) have been spreading these trackers.
There's another fun one floating around: a web developer is selling code that gets you logged with Google Analytics, even if you have it filtered out. In my opinion, that so much misses the point that the idiots deserve an educational court appearance too.
I see that f in button, and I'm not gonna clickee on that linkee
Wonder if every EU-based company will be removing their f in buttons from their websites in order not to fall foul of this ruling.
And will this, by implication, mean that world+dog also have to remove their f in buttons as well?
I see that f in button, and I'm not gonna clickee on that linkee
Ah, but that's the problem with the widget approach - you don't need to click it. You have visited a page with an active signalling component, and FB/Google et al now know you've been there. That's also the deceptive bit behind advertising. It's not just that you get fed ads that "suit" you (according to the algorithm du jour), the very fact that you visited a site is also data that gets back to the advertiser. It's not just Google Anal-ytics that gives your presence away.
I don't foresee a sudden rush to completely remove these social media buttons from EU website as they get too much benefit from them, as when a customer likes and shares on social media its free marketing for the business. So I expect they will just remove the tracking code and cookies and make them into static links to avoid being liable as a data collector.
"when a customer likes and shares on social media its free marketing for the business."
The implication of this ruling is that it's no longer free. It's potentially very expensive. It will take a while for this to filter through to marketroids given that their standard MO seems designed to put the business at risk post GDPR.
This is far from the breakthrough for privacy it appears to be from the article. The decision that FashionID is not a joint controller for the subsequent processing by Facebook is the crocodile on the sofa. The data subject is forced to sit on the sofa by FashionID, but whether the crocodile (Facebook) bites is not deemed to be under its control.
Joking apart, the fundamental intrusion into privacy is not the information that a data subject visited this specific site (the collection of which is under the control of FashionID) but the cumulative profile of the data subject's browsing, which is entirely and solely under the control of Facebook. The latter's reliance on the vastly abused lawful basis of "legitimate interest" allows a data subject to object, but fat chance of this highly lucrative profiling being abandoned. The best offer of redress that has been made to me in a similar case is "you are free to submit a right to be forgotten request after every transaction".
The one benefit of this judgement is that it provides grounds to object to a web site owner where automated and/or covert tracking is in use, but once again I don't hold out much hope of such an objection driving change. Legislation is toothless unless those constrained by it actually care.
Agreed to some extent. However Facebook have no say in whether a website uses this plugin it is up to the website to do it. Therefore the website is facilitating this data collection and is responsible to the visitor to make sure that this is in accordance to the law.
Why would a website wish to take a risk on facilitating the collection of data, as a controller, when they can't ensure sufficient safeguards are put in place to process that data accordingly. They can then be jointly liable.
What it should do is make websites remove these plugins (and use static links instead which will do the same thing without the passive tracking) so they don't risk getting fined.
"Legislation is toothless unless those constrained by it actually care."
Legislation with sufficiently large penalties is far from toothless if those enforcing it care to use them The whole principle of penalties is to make those constrained care whether they want to or not.
I am assuming that most sites who use these 'like' buttons are also employing the Facebook Pixel on their webpage.
If that is the case, then one would also assume (though with less probability of being correct, I think) that these sites would have their cookie policy set to inform users of this.
Naturally all these sites are set to not place any cookies at all before consent is given (hah), but once that is done is the like button not simply - from a visitor standpoint - a visible and interactive tracking pixel?
What I'm really asking is, would it not be more likely that pages that want to employ these trackers (or help FB, Twitter etc. track people) simply update their cookie information thing (which nobody reads anyway?) to reflect the use of the like button?
Hmm, the issue is that if a company wants to have subtle abuses - like crappy cookie consents, they will get away with it for a very long time (forever?). As the worst risk is they will be taken to court but could easily back out before that stage. In nearly every case they will carry on, claiming they are in the right, and will ignore requests from visitors and the ICO until the last minute.
Sure, morally sound companies will comply, and there is a load more awareness about it. However companies like Facebook which are obviously contradicting the law in a number of ways are still doing it until they get hauled up over it.
I see that any links posted on Facebook (I am 'forced' to use it at the moment due to circumstances outside my control) now get a facebook client ID appended to them. This means Facebook are sending, PII, to every website regardless of whether that website has asked for it or not.
As you say, there is more moral awareness, and occurances like this help raise the awareness of privacy.
A few years ago, it was a case of "yeah, they all track. what can you do?"
It will be a slow process, but hopefully things like GDPR will help to eventually make such tracking socially unacceptable, and sites who clean themselves up will want to show off their "green" credentials.
"In nearly every case they will carry on, claiming they are in the right, and will ignore requests from visitors and the ICO until the last minute."
This is behaviour which will result in the biggest fines. It will probably take quite a few big fines, well publicised before boards start to realise the risks presented by the self-narcisists in their marketing departments. Then there'll be the businesses owned by self-narcisists but those will always be with us.
Nope, for most companies they won't be fined at all for this sort of thing. They will agree to a change of behaviour - similar to the ASA, not allowing a advert to appear in its current form again (after the advert has already been run).
Let's see how many fines are handed out, now, to site that use social media plugins for 'likes' & 'shares'. I bet it will be so close to zero that I'll call it now as zero.
There is hardly a website worth visiting without the dreadful Google Analytics et al in it (which in turn makes many of said websites hardly worth visiting). Some declare it somewhere deep in their "we value your privacy" bullsh documentation, most do not. Yet there is no simple way for the web-browsing person to avoid being slurped naked (on desktop that is, on Andorid or other tablets the resistance is completely futile). I, for one, would love to see this practice addressed by authorities, and this development about the F-button goes in the right direction.
For those using Firefox with the Facebook Container enabled, that Container shows an alert while visiting El Reg with this message:
The Facebook "Like" and "Share" buttons that appear on shopping, news and other sites contain Facebook trackers. Even if you don’t use them, Facebook uses these buttons to track you. Facebook Container blocks these trackers and will display a fence icon to show you where these trackers were removed.
Facebook Container removes their trackers on other sites. The following will not work:
Facebook like, share and comment buttons on other websites. Facebook Container removes any trackers and related functionality.
Logging in or creating accounts on other websites using Facebook. To log in using your Facebook account, you must allow the site past the Facebook Container boundary.
https://support.mozilla.org/en-US/kb/facebook-container-prevent-facebook-tracking
No, no, no, nono, NOOO!
Under GDPR, both data controllers AND data processors can be held accountable if they don't comply with their respective obligations and both can be fined in the same proportions if found guilty. That's one of the bug changes that GDPR introduced, that DP can now be fined directly by regulators.
I've ALWAYS said that anything more than an image + link for ANY other site, Advert or Social media is immoral, toxic and dishonest data theft.
Now, Google APIs, Google Fonts, clear pixels, third party cookies (at all), 1st party cookie when you didn't log in, Google Analytics?
"I'm hazarding a guess it's close to - if not actually - zero."
That's because it needs to be followed up with fines that make whatever news media manglements read. And an awareness that this means YOU. Manglements catch on slowly. Once they do, just watch the panic set in.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
